Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Guido Günther
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
[..snip..]
> >>Issues that are unfixed in wheezy but fixed in squeeze:
> >>* aptdaemon-> CVE-2015-1323
> >>* cakephp  -> TEMP-000-698CF7
> >>* dhcpcd   -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> >>* eglibc   -> CVE-2014-9761
> >>* extplorer-> CVE-2015-0896
> >>* fuseiso  -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> >>* gosa -> CVE-2014-9760 CVE-2015-8771
> >>* gtk+2.0  -> CVE-2013-7447
> >>* icu  -> CVE-2015-2632
> >>* imagemagick  -> TEMP-0773834-5EB6CF
> >>* imlib2   -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> >>* inspircd -> CVE-2015-8702
> >>* libebml  -> CVE-2015-8790 CVE-2015-8791
> >>* libidn   -> CVE-2015-2059 TEMP-000-54045E
> >>* libmatroska  -> CVE-2015-8792
> >>* libsndfile   -> CVE-2014-9756 CVE-2015-7805
> >>* libstruts1.2-java-> CVE-2015-0899
> >>* libtorrent-rasterbar -> CVE-2015-5685
> >>* mono -> CVE-2009-0689
> >>* nss  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> >>* optipng  -> CVE-2015-7801
> >>* phpmyadmin   -> CVE-2016-2039 CVE-2016-2041
> >>* pixman   -> CVE-2014-9766
> >>* python-tornado   -> CVE-2014-9720
> >>* roundcube-> CVE-2015-8770
> >>* srtp -> CVE-2015-6360
> >>* tomcat6  -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
> >>CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
> >>CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
> >>CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
> >
> >I'm focusing on these, picking older ones over newer ones, to not stomp
> >on the security team's toes.
> 
> Do you announce anywhere that you will start working on a specific package?
> Wouldn't it make sense to put all the packages listed below into
> data/dsa-needed.txt (with approval from the Security Team) and then put our
> names behind those package names?

In order to avoid double work I added these to dsa-needed.txt and put my
name on the line.

Cheers,
 -- Guido



Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Mike Gabriel

Hi Guido,

On Mon, 29 Feb 2016 21:54:11 CET, Guido Günther wrote:

>>   * prepare a fixed package
>>   * test the package
>>   * send a .debdiff to t...@security.debian.org
>>   * wait for feedback and ideally permission to upload to wheezy-security
>
> That's what I'm doing at the moment (sending the debdiff to the bug
> report in case there is one as well) for issues that are unfixed (not
> no-dsa, see below).

Ok.

> [..snip..]
>
>> Issues that are unfixed in wheezy but fixed in squeeze:
>> * aptdaemon-> CVE-2015-1323
>> * cakephp  -> TEMP-000-698CF7
>> * dhcpcd   -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
>> * eglibc   -> CVE-2014-9761
>> * extplorer-> CVE-2015-0896
>> * fuseiso  -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
>> * gosa -> CVE-2014-9760 CVE-2015-8771
>> * gtk+2.0  -> CVE-2013-7447
>> * icu  -> CVE-2015-2632
>> * imagemagick  -> TEMP-0773834-5EB6CF
>> * imlib2   -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
>> * inspircd -> CVE-2015-8702
>> * libebml  -> CVE-2015-8790 CVE-2015-8791
>> * libidn   -> CVE-2015-2059 TEMP-000-54045E
>> * libmatroska  -> CVE-2015-8792
>> * libsndfile   -> CVE-2014-9756 CVE-2015-7805
>> * libstruts1.2-java-> CVE-2015-0899
>> * libtorrent-rasterbar -> CVE-2015-5685
>> * mono -> CVE-2009-0689
>> * nss  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
>> * optipng  -> CVE-2015-7801
>> * phpmyadmin   -> CVE-2016-2039 CVE-2016-2041
>> * pixman   -> CVE-2014-9766
>> * python-tornado   -> CVE-2014-9720
>> * roundcube-> CVE-2015-8770
>> * srtp -> CVE-2015-6360
>> * tomcat6  -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
>> CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
>> CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
>> CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
>
> I'm focusing on these, picking older ones over newer ones, to not stomp
> on the security team's toes.

Do you announce anywhere that you will start working on a specific
package? Wouldn't it make sense to put all the packages listed below
into data/dsa-needed.txt (with approval from the Security Team) and
then put our names behind those package names?

@Security Team: Please guide the LTS contributors to a good way of
supporting you. Would it make sense to add the above packages to
data/dsa-needed.txt so that LTS contributors can then grab packages
from the dsa-needed.txt file and work on fixing the listed issues?

>> Issues that are no-dsa in wheezy but fixed in squeeze:
>> * augeas   -> CVE-2012-0786 CVE-2012-0787
>> * binutils -> TEMP-000-A2945B
>> * busybox  -> TEMP-0803097-A74121
>> * chrony   -> CVE-2016-1567
>> * dbconfig-common  -> TEMP-0805638-5AC56F
>> * dwarfutils   -> CVE-2015-8750
>> * foomatic-filters -> TEMP-000-ACBC4C
>> * imagemagick  -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
>> CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
>> * libemail-address-perl -> TEMP-000-F41FA7
>> * libfcgi-perl -> CVE-2012-6687
>> * librsvg  -> CVE-2015-7557
>> * libsndfile   -> CVE-2014-9496
>> * libunwind-> CVE-2015-3239
>> * openslp-dfsg -> CVE-2012-4428
>> * openssh  -> CVE-2015-5352 CVE-2015-5600
>> * php5 -> CVE-2011-0420 CVE-2011-1657
>> * postgresql-8.4   -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
>> CVE-2015-5288
>> * python-scipy -> CVE-2013-4251
>> * python2.6-> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
>> * qt4-x11  -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
>> CVE-2015-1860
>> * remind   -> CVE-2015-5957
>> * ruby1.8  -> CVE-2009-5147
>> * ruby1.9.1-> CVE-2009-5147
>> * t1utils  -> CVE-2015-3905
>> * texlive-extra-> CVE-2012-2120
>> * tomcat6  -> CVE-2013-4590
>> * vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
>> CVE-2015-6749
>> """
>
> I think these would be addressed via stable point release updates in
> wheezy/jessie rather than going via the security team.

Yeah, if at all. I just listed them for completeness' sake.

Mike

--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net





maintainer feedback on CVE-2014-8350 (smarty3)

2016-02-29 Thread Mike Gabriel

Hi all,

I have just looked at what is needed to fix CVE-2014-8350 for smarty3
[1]. Unfortunately, the fix [2] from between 3.1.20 and 3.1.21 is not
trivial to backport to wheezy's 3.1.10 version.


The packages that depend on smarty3 in Debian wheezy are these:

  o gosa + its plugins
  o slbackup-php
  o collabtive

My recommendation 1 for wheezy and wheezy-lts is to continue providing  
support for smarty3 (as Debian Edu uses gosa and slbackup-php and I  
know various wheezy based installations of Debian Edu).


My recommendation 2 for wheezy-lts (or even wheezy-security) is to  
take smarty3 3.1.21-1 from Debian jessie and provide that on Debian  
wheezy.


From experience, I seem to remember that gosa and slbackup-php from
wheezy work fine with smarty3 3.1.21. However, if feedback from the
security team and other LTS contributors reaches a consensus to go down
the version-bump path, I would of course set up gosa and slbackup-php
to be really sure about what I remember.


Furthermore, I would set up a test instance of collabtive on wheezy as
well, and check its functionality.


Greets,
Mike


[1] https://security-tracker.debian.org/tracker/CVE-2014-8350
[2]  
https://github.com/smarty-php/smarty/commit/279bdbd3521cd717cae6a3ba48f1c3c6823f439d.patch

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de




[SECURITY] [DLA 445-1] squid3 security update

2016-02-29 Thread santiagorr
Package: squid3
Version: 3.1.6-1.2+squeeze6
CVE ID : CVE-2016-2569 CVE-2016-2571
Debian Bug : 816011

Several security issues have been discovered in the Squid caching proxy.

CVE-2016-2569

Squid wrongly checked boundaries of String data, making it possible
for remote attackers to cause a Denial-of-Service by a crafted HTTP
Vary header. Issue found by Mathias Fischer from Open Systems AG.

CVE-2016-2571

Squid was susceptible to a Denial of Service caused by storing a
certain kind of data after failing to parse a response. Issue
discovered by Alex Rousskov from The Measurement Factory.

For Debian 6 "Squeeze", these issues have been fixed in squid3 version
3.1.6-1.2+squeeze6. We recommend that you upgrade your squid3 packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/




Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus,

On 29-02-16 21:56, Markus Koschany wrote:
> If it helps I could remove the "Debian 7 Wheezy" part and write
> "we recommend that you upgrade your systems".

That fully resolves the issue I was having with the text.

Paul





Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Markus Koschany
Am 29.02.2016 um 20:27 schrieb Paul Gevers:
> Hi Markus,
> 
> On 29-02-16 20:25, Matus UHLAR - fantomas wrote:
>> you can only upgrade to wheezy directly. upgrade across versions is not
>> supported.
> 
> I know, but that is not what I meant. I meant (and wrote), upgrade via
> wheezy.

Hi Paul,

the target audience for this announcement are Squeeze LTS users who
might have missed the recent Debian news [1] or who are otherwise
unaware that Squeeze LTS ends after five years. Debian only supports
upgrades to consecutive releases. Upgrading to Wheezy is the right
choice, no matter if you decide to upgrade to the current stable release
again. If it helps I could remove the "Debian 7 Wheezy" part and write
"we recommend that you upgrade your systems". The important thing is,
and I hope this announcement makes it sufficiently clear, that Squeeze LTS
will no longer be supported from now on; please upgrade at your earliest
convenience.

Regards,

Markus


[1] https://www.debian.org/News/2016/20160212






Re: working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Guido Günther
Hi,
On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote:
> For this, we can run bin/lts-needs-forward-port.py from the secure-testing
> repo and see what issues we fixed in squeeze and port those fixes to the
> package version in wheezy-security. Package updates must be coordinated with
> the Debian Security Team, not within the LTS team, though:
> 
>   * prepare a fixed package
>   * test the package
>   * send a .debdiff to t...@security.debian.org
>   * wait for feedback and ideally permission to upload to wheezy-security

That's what I'm doing at the moment (sending the debdiff to the bug
report in case there is one as well) for issues that are unfixed (not
no-dsa, see below).

[..snip..]

> Issues that are unfixed in wheezy but fixed in squeeze:
> * aptdaemon-> CVE-2015-1323
> * cakephp  -> TEMP-000-698CF7
> * dhcpcd   -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> * eglibc   -> CVE-2014-9761
> * extplorer-> CVE-2015-0896
> * fuseiso  -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> * gosa -> CVE-2014-9760 CVE-2015-8771
> * gtk+2.0  -> CVE-2013-7447
> * icu  -> CVE-2015-2632
> * imagemagick  -> TEMP-0773834-5EB6CF
> * imlib2   -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> * inspircd -> CVE-2015-8702
> * libebml  -> CVE-2015-8790 CVE-2015-8791
> * libidn   -> CVE-2015-2059 TEMP-000-54045E
> * libmatroska  -> CVE-2015-8792
> * libsndfile   -> CVE-2014-9756 CVE-2015-7805
> * libstruts1.2-java-> CVE-2015-0899
> * libtorrent-rasterbar -> CVE-2015-5685
> * mono -> CVE-2009-0689
> * nss  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> * optipng  -> CVE-2015-7801
> * phpmyadmin   -> CVE-2016-2039 CVE-2016-2041
> * pixman   -> CVE-2014-9766
> * python-tornado   -> CVE-2014-9720
> * roundcube-> CVE-2015-8770
> * srtp -> CVE-2015-6360
> * tomcat6  -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
> CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
> CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
> CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

I'm focusing on these, picking older ones over newer ones, to not stomp
on the security team's toes.

> 
> Issues that are no-dsa in wheezy but fixed in squeeze:
> * augeas   -> CVE-2012-0786 CVE-2012-0787
> * binutils -> TEMP-000-A2945B
> * busybox  -> TEMP-0803097-A74121
> * chrony   -> CVE-2016-1567
> * dbconfig-common  -> TEMP-0805638-5AC56F
> * dwarfutils   -> CVE-2015-8750
> * foomatic-filters -> TEMP-000-ACBC4C
> * imagemagick  -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
> CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
> * libemail-address-perl -> TEMP-000-F41FA7
> * libfcgi-perl -> CVE-2012-6687
> * librsvg  -> CVE-2015-7557
> * libsndfile   -> CVE-2014-9496
> * libunwind-> CVE-2015-3239
> * openslp-dfsg -> CVE-2012-4428
> * openssh  -> CVE-2015-5352 CVE-2015-5600
> * php5 -> CVE-2011-0420 CVE-2011-1657
> * postgresql-8.4   -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
> CVE-2015-5288
> * python-scipy -> CVE-2013-4251
> * python2.6-> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
> * qt4-x11  -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
> CVE-2015-1860
> * remind   -> CVE-2015-5957
> * ruby1.8  -> CVE-2009-5147
> * ruby1.9.1-> CVE-2009-5147
> * t1utils  -> CVE-2015-3905
> * texlive-extra-> CVE-2012-2120
> * tomcat6  -> CVE-2013-4590
> * vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
> CVE-2015-6749
> """

I think these would be addressed via stable point release updates in
wheezy/jessie rather than going via the security team.

Cheers,
 -- Guido



Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus,

On 29-02-16 20:25, Matus UHLAR - fantomas wrote:
> you can only upgrade to wheezy directly. upgrade across versions is not
> supported.

I know, but that is not what I meant. I meant (and wrote), upgrade via
wheezy.

Paul





Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Matus UHLAR - fantomas

On 29-02-16 12:35, Markus Koschany wrote:
>> We recommend that you upgrade your systems to Debian 7 "Wheezy".

On 29.02.16 19:59, Paul Gevers wrote:
> /me wonders, do we really recommend that? I would say we recommend our
> users to upgrade to the current stable (via Wheezy), no? And wheezy-lts
> is there for those that can't or won't upgrade now from wheezy to jessie
> (maybe coming from squeeze, true). But if you are upgrading, why not do
> it "right" if you can?

you can only upgrade to wheezy directly.
upgrade across versions is not supported.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...



Accepted squid3 3.1.6-1.2+squeeze6 (source all amd64) into squeeze-lts

2016-02-29 Thread Santiago Ruano Rincón

Format: 1.8
Date: Mon, 29 Feb 2016 20:02:20 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi
Architecture: source all amd64
Version: 3.1.6-1.2+squeeze6
Distribution: squeeze-lts
Urgency: medium
Maintainer: Luigi Gangitano 
Changed-By: Santiago Ruano Rincón 
Description: 
 squid-cgi  - A full featured Web Proxy cache (HTTP proxy) - control CGI
 squid3 - A full featured Web Proxy cache (HTTP proxy)
 squid3-common - A full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - A full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - A full featured Web Proxy cache (HTTP proxy) - control utility
Changes: 
 squid3 (3.1.6-1.2+squeeze6) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2016-2569: Denial-of-Service by wrong handling of String data.
   * Fix CVE-2016-2571: DoS caused by storing a certain kind of data after
 failing to parse a response.
Checksums-Sha1: 
 6d36e7b0a91eea83aa6c02c7fa8a92f1813c50b3 1910 squid3_3.1.6-1.2+squeeze6.dsc
 955aa00419c755baf10516d13f9666c30ce90e1a 33489 
squid3_3.1.6-1.2+squeeze6.diff.gz
 5ee6a8fefe0c64b22fb5175c5ecf90fd54d98428 195328 
squid3-common_3.1.6-1.2+squeeze6_all.deb
 1519251d39c6d67cdfc6a80018d7a3ba1e247be0 1508262 
squid3_3.1.6-1.2+squeeze6_amd64.deb
 9a6d763d531d53461e791e9823a401ed6607ed6a 5638330 
squid3-dbg_3.1.6-1.2+squeeze6_amd64.deb
 234673523bb1ca8d99826c61196b372dab3aa33a 106340 
squidclient_3.1.6-1.2+squeeze6_amd64.deb
 dcb8dae20f2a347f26109c856459436659ce8a62 109020 
squid-cgi_3.1.6-1.2+squeeze6_amd64.deb
Checksums-Sha256: 
 b5d0b4d4daf91feb216b968ab4ae6c25bdb979b6ace8ea24024ef8d45c37d817 1910 
squid3_3.1.6-1.2+squeeze6.dsc
 7357a72d607a6bb2b85023c404f76734ea55c6cc7b7e2504aaad8037d8ae1c37 33489 
squid3_3.1.6-1.2+squeeze6.diff.gz
 68d4662a3dbd4ef8c4c03a2c37b7b663dc253b3df821900b6ae2c95eafa5a099 195328 
squid3-common_3.1.6-1.2+squeeze6_all.deb
 3b0cd7bee8049ffede99f32a227042640d0f53bbcff5f8d2d60b1d0680be71bb 1508262 
squid3_3.1.6-1.2+squeeze6_amd64.deb
 089acffd35519bf64761a4ccbea5db132c96ef45d7c57ea4f69803eaf1dd4fbc 5638330 
squid3-dbg_3.1.6-1.2+squeeze6_amd64.deb
 897564979fcee6d5419bffcb1dd6737b105dbe7bcb62b9b182520558321cf431 106340 
squidclient_3.1.6-1.2+squeeze6_amd64.deb
 43e4e7d44924230c20ad758df55950e01b671424e3aa717c236aac3b9ddb3de9 109020 
squid-cgi_3.1.6-1.2+squeeze6_amd64.deb
Files: 
 e65056df56afad2a2143548dc1725211 1910 web optional 
squid3_3.1.6-1.2+squeeze6.dsc
 aa58ba7c8c6607422017c5fb871f18f6 33489 web optional 
squid3_3.1.6-1.2+squeeze6.diff.gz
 40a89a9d6e5c0eb9ac56b53ef9810da8 195328 web optional 
squid3-common_3.1.6-1.2+squeeze6_all.deb
 1d54fac3381094d536b3911e292e3d31 1508262 web optional 
squid3_3.1.6-1.2+squeeze6_amd64.deb
 0f4457261576d352fbf78e5ea820fab9 5638330 debug extra 
squid3-dbg_3.1.6-1.2+squeeze6_amd64.deb
 062772d89a5faa04b5aaf34cc0125d67 106340 web optional 
squidclient_3.1.6-1.2+squeeze6_amd64.deb
 bb0b97e7e78db560e573619a9db3a9d0 109020 web optional 
squid-cgi_3.1.6-1.2+squeeze6_amd64.deb




Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Paul Gevers
Hi Markus,

On 29-02-16 12:35, Markus Koschany wrote:
> We recommend that you upgrade your systems to Debian 7 "Wheezy".

/me wonders, do we really recommend that? I would say we recommend our
users to upgrade to the current stable (via Wheezy), no? And wheezy-lts
is there for those that can't or won't upgrade now from wheezy to jessie
(maybe coming from squeeze, true). But if you are upgrading, why not do
it "right" if you can?

Paul





[SECURITY] [DLA 444-1] php5 security update

2016-02-29 Thread Thorsten Alteholz


Package: php5
Version: 5.3.3.1-7+squeeze29
CVE ID : CVE-2015-2305 CVE-2015-2348

CVE-2015-2305
   Integer overflow in the regcomp implementation in the Henry
   Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on
   32-bit platforms, as used in NetBSD through 6.1.5 and other
   products, might allow context-dependent attackers to execute
   arbitrary code via a large regular expression that leads to
   a heap-based buffer overflow.
CVE-2015-2348
   The move_uploaded_file implementation in
   ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x
   before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon
   encountering a \x00 character, which allows remote attackers to
   bypass intended extension restrictions and create files with
   unexpected names via a crafted second argument.
   NOTE: this vulnerability exists because of an incomplete fix for
 CVE-2006-7243.
CVE-2016-tmp, Bug #71039
   exec functions ignore length but look for NULL termination
CVE-2016-tmp, Bug #71089
   No check to duplicate zend_extension
CVE-2016-tmp, Bug #71201
   round() segfault on 64-bit builds
CVE-2016-tmp, Bug #71459
   Integer overflow in iptcembed()
CVE-2016-tmp, Bug #71354
   Heap corruption in tar/zip/phar parser
CVE-2016-tmp, Bug #71391
   NULL Pointer Dereference in phar_tar_setupmetadata()
CVE-2016-tmp, Bug #70979
   Crash on bad SOAP request


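The truncation described under CVE-2015-2348 above, as an added example in C that is not PHP's code: a length-counted file name passes a suffix filter while the C string that reaches the filesystem is cut at the first NUL byte, shown next to a hardened filter that rejects embedded NULs before looking at the suffix. The function names, the constructed sample names EVIL_NAME/GOOD_NAME and the ".txt" policy are this example's own assumptions, not anything from the advisory.

```c
/* Added example, not PHP's code: the bug class behind CVE-2015-2348. A
 * length-counted string (PHP's zend strings, for instance) may contain a
 * NUL byte, so an extension filter working on (ptr, len) sees
 * "shell.php\0.txt" as ending in ".txt", while the C string later handed to
 * the filesystem stops at the NUL and "shell.php" is what gets created. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: an upload name carrying an embedded NUL and a
 * benign one. "sizeof - 1" keeps the embedded NUL but drops the terminator. */
const char EVIL_NAME[] = "shell.php\0.txt";
const size_t EVIL_LEN = sizeof EVIL_NAME - 1;
const char GOOD_NAME[] = "notes.txt";
const size_t GOOD_LEN = sizeof GOOD_NAME - 1;

/* Length-aware suffix test, the way a PHP-level extension filter sees it. */
bool has_suffix(const char *s, size_t len, const char *suffix)
{
    size_t n = strlen(suffix);
    return len >= n && memcmp(s + len - n, suffix, n) == 0;
}

/* What the filesystem sees: the name as a C string, cut at the first NUL. */
size_t effective_len(const char *s, size_t len)
{
    const char *nul = memchr(s, '\0', len);
    return nul ? (size_t)(nul - s) : len;
}

/* Vulnerable filter: validates the counted string and nothing else. */
bool vulnerable_accepts(const char *name, size_t len)
{
    return has_suffix(name, len, ".txt");
}

/* Hardened filter: any embedded NUL is a hard reject before the suffix
 * test, so the counted string and the C string can never disagree. */
bool hardened_accepts(const char *name, size_t len)
{
    return memchr(name, '\0', len) == NULL && has_suffix(name, len, ".txt");
}

/* True when the filter let the name through but the file the OS would
 * actually create does not carry the approved extension: a bypass. */
bool filter_bypassed(bool (*accepts)(const char *, size_t),
                     const char *name, size_t len)
{
    return accepts(name, len) &&
           !has_suffix(name, effective_len(name, len), ".txt");
}

int main(void)
{
    printf("vulnerable: accepted=%d, file created: \"%.*s\"\n",
           vulnerable_accepts(EVIL_NAME, EVIL_LEN),
           (int)effective_len(EVIL_NAME, EVIL_LEN), EVIL_NAME);
    printf("hardened:   accepted=%d\n", hardened_accepts(EVIL_NAME, EVIL_LEN));
    return 0;
}
```

The same discrepancy applies to any boundary where a counted buffer is converted to a NUL-terminated one (language runtimes, file-name parameters in multipart bodies, LDAP or SQL bindings), which is why the check belongs at the point where the counted string is accepted, not only at the final call.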


working for wheezy-security until wheezy-lts starts

2016-02-29 Thread Mike Gabriel

Hi all,

as of today, the Debian squeeze LTS support will cease and squeeze  
will finally enter the archived archives of Debian.


.oO( /me gets out his handkerchief ...)

As a (paid) LTS contributor, you may wonder what to do next, esp. until
the official Debian wheezy LTS support period starts on 26th April
2016. At least I did wonder about that, today...


One thing we can do, I guess, is help out the Debian Security Team
with package updates in Debian wheezy.


For this, we can run bin/lts-needs-forward-port.py from the  
secure-testing repo and see what issues we fixed in squeeze and port  
those fixes to the package version in wheezy-security. Package updates  
must be coordinated with the Debian Security Team, not within the LTS  
team, though:


  * prepare a fixed package
  * test the package
  * send a .debdiff to t...@security.debian.org
  * wait for feedback and ideally permission to upload to wheezy-security

(Is the above correct? Please elaborate if not.)

Currently, we have these candidates of potentially  
easy-to-fix-in-wheezy packages:


"""
Issues that are unfixed in wheezy but fixed in squeeze:
* aptdaemon-> CVE-2015-1323
* cakephp  -> TEMP-000-698CF7
* dhcpcd   -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
* eglibc   -> CVE-2014-9761
* extplorer-> CVE-2015-0896
* fuseiso  -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
* gosa -> CVE-2014-9760 CVE-2015-8771
* gtk+2.0  -> CVE-2013-7447
* icu  -> CVE-2015-2632
* imagemagick  -> TEMP-0773834-5EB6CF
* imlib2   -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
* inspircd -> CVE-2015-8702
* libebml  -> CVE-2015-8790 CVE-2015-8791
* libidn   -> CVE-2015-2059 TEMP-000-54045E
* libmatroska  -> CVE-2015-8792
* libsndfile   -> CVE-2014-9756 CVE-2015-7805
* libstruts1.2-java-> CVE-2015-0899
* libtorrent-rasterbar -> CVE-2015-5685
* mono -> CVE-2009-0689
* nss  -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
* optipng  -> CVE-2015-7801
* phpmyadmin   -> CVE-2016-2039 CVE-2016-2041
* pixman   -> CVE-2014-9766
* python-tornado   -> CVE-2014-9720
* roundcube-> CVE-2015-8770
* srtp -> CVE-2015-6360
* tomcat6  -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033  
CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227  
CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351  
CVE-2016-0706 CVE-2016-0714 CVE-2016-0763


Issues that are no-dsa in wheezy but fixed in squeeze:
* augeas   -> CVE-2012-0786 CVE-2012-0787
* binutils -> TEMP-000-A2945B
* busybox  -> TEMP-0803097-A74121
* chrony   -> CVE-2016-1567
* dbconfig-common  -> TEMP-0805638-5AC56F
* dwarfutils   -> CVE-2015-8750
* foomatic-filters -> TEMP-000-ACBC4C
* imagemagick  -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C
* libemail-address-perl -> TEMP-000-F41FA7
* libfcgi-perl -> CVE-2012-6687
* librsvg  -> CVE-2015-7557
* libsndfile   -> CVE-2014-9496
* libunwind-> CVE-2015-3239
* openslp-dfsg -> CVE-2012-4428
* openssh  -> CVE-2015-5352 CVE-2015-5600
* php5 -> CVE-2011-0420 CVE-2011-1657
* postgresql-8.4   -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167
CVE-2015-5288
* python-scipy -> CVE-2013-4251
* python2.6-> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912
* qt4-x11  -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
CVE-2015-1860
* remind   -> CVE-2015-5957
* ruby1.8  -> CVE-2009-5147
* ruby1.9.1-> CVE-2009-5147
* t1utils  -> CVE-2015-3905
* texlive-extra-> CVE-2012-2120
* tomcat6  -> CVE-2013-4590
* vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
CVE-2015-6749

"""

I am posting this CVE/package list here on purpose, because the said  
script may not be working anymore, once the squeeze Debian package  
repo section has been moved to archive.debian.org.


Furthermore, as it seems, we need to modify some bits and pieces in  
the secure-testing repo to get our workflow up-and-running for Debian  
wheezy LTS. Is anyone already working on that? What is the current  
status?


Has there already been a discussion that I am not aware of about how  
the LTS team can work on wheezy-security updates in a coordinated  
fashion until the 26th of April? If there has not been a discussion,  
yet, we should sort this out during this week. My proposal would be to  
prepare the Debian wheezy LTS workflow in the secure-testing SVN repo,  
so that our upcoming workflow can be very similar to what we are used  
to. For the interim phase until the 26th 

[SECURITY] [DLA 443-1] bsh security update

2016-02-29 Thread Markus Koschany

Package: bsh
Version: 2.0b4-12+deb6u1
CVE ID : CVE-2016-2510

A remote code execution vulnerability was found in BeanShell, an
embeddable Java source interpreter with object scripting language
features.

CVE-2016-2510:
An application that includes BeanShell on the classpath may be
vulnerable if another part of the application uses Java
serialization or XStream to deserialize data from an untrusted
source. A vulnerable application could be exploited for remote
code execution, including executing arbitrary shell commands.


For Debian 6 "Squeeze", these problems have been fixed in version
2.0b4-12+deb6u1.

We recommend that you upgrade your bsh packages.






Re: Unsupported packages for Wheezy LTS

2016-02-29 Thread Markus Koschany
Am 29.02.2016 um 15:17 schrieb Raphael Hertzog:
> On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote:
>> Another package which needs to be sorted out is the support for
>> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only
>> -7 and stretch will also only have one version).
> 
> I asked our current sponsors about OpenJDK 6 and none asked
> us to keep supporting it. They are satisfied with having only
> OpenJDK 7 supported in wheezy.
> 
>> sense to only support openjdk-7 in Debian LTS. Some rdeps in
>> wheezy will not allow that, but I think most people use openjdk
>> to run external java apps and not the Java apps packaged in
>> Debian (with maybe Tomcat as the exception).
> 
> Yes, we need to investigate that. I just stumbled on a few packages
> with "openjdk-6-jre | java6-runtime" in their dependencies (like
> "entagged" or "389-console").
> 
> A complete list should be made to see the impact and decide what should
> happen to those packages...

Matthias Klose, the OpenJDK maintainer, stated that he intends to
support OpenJDK 6 until Ubuntu 12.04 reaches EOL in April 2017 [1] and I
think it should be feasible to mirror this approach for Wheezy LTS
provided everyone agrees to keep OpenJDK 6 supported until then.

We discussed the switch to OpenJDK 7 last month [2] and I think the
problematic packages are only those that strictly depend on
openjdk-6-jre like tunnelx and rcran-r-java. Everything else that
declares an alternative dependency on java6-runtime or default-jre
should be fine because OpenJDK 7 provides these dependencies.

In addition I would also suggest to add Tomcat 6 to the list of
unsupported packages when it is declared EOL on December 31, 2016 [3]
and recommend the switch to Tomcat 7.

Regards,

Markus


[1] https://lists.debian.org/debian-java/2016/01/msg00069.html
[2] https://lists.debian.org/debian-lts/2016/01/msg00112.html
[3] https://tomcat.apache.org/tomcat-60-eol.html





[SECURITY] [DLA 442-1] lxc security update

2016-02-29 Thread Mike Gabriel
Package: lxc
Version: 0.7.2-1+deb6u1
CVE ID : CVE-2013-6441 CVE-2015-1335
Debian Bug : #800471

Brief introduction 

CVE-2013-6441

The template script lxc-sshd used to mount itself as /sbin/init in the
container using a writable bind-mount.

This update resolved the above issue by using a read-only bind-mount
instead, preventing any form of potentially accidental damage.


CVE-2015-1335

On container startup, lxc sets up the container's initial file system
tree by doing a bunch of mounting, guided by the container's configuration
file.

The container config is owned by the admin or user on the host, so we
do not try to guard against bad entries. However, since the mount
target is in the container, it's possible that the container admin
could divert the mount with symbolic links. This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.

This update implements a safe_mount() function that prevents lxc from
doing mounts onto symbolic links.

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net



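The safe_mount() idea from the CVE-2015-1335 paragraph above, as an added example in C that is not lxc's own code: the mount target is resolved beneath the container root one component at a time with O_NOFOLLOW, any symlink component is refused, and the mount is then issued through /proc/self/fd/N so the kernel mounts onto exactly the inode that was checked rather than re-resolving a path the container admin controls. The function names (open_nofollow, safe_mount, check_target), the throwaway rootfs layout under /tmp and the decision to also refuse ".." are this example's own assumptions.

```c
/* Added example, not lxc's code: a safe_mount() along the lines of the fix in
 * DLA 442-1. Each component of the target is opened with O_NOFOLLOW so a symlink
 * planted by the container admin is refused rather than diverting the mount,
 * and the mount goes through /proc/self/fd/N, i.e. onto the inode checked. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000 /* Linux >= 2.6.39; value on x86 and most arches */
#endif

/* Open `rel` beneath `rootfd` one component at a time, never following
 * symlinks. Returns an O_PATH fd for the last component, or -1 with errno
 * ELOOP (a component is a symlink) or EINVAL (absolute path or ".."). */
int open_nofollow(int rootfd, const char *rel)
{
    char buf[PATH_MAX], *save = NULL;
    struct stat st = {0};
    if (rel[0] == '/' || strlen(rel) >= sizeof buf) {
        errno = EINVAL;
        return -1;
    }
    strcpy(buf, rel);
    int cur = openat(rootfd, ".", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (cur < 0)
        return -1;
    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        if (strcmp(c, "..") == 0) {           /* would escape the rootfs */
            close(cur);
            errno = EINVAL;
            return -1;
        }
        /* O_PATH|O_NOFOLLOW opens a symlink itself, not its target, so fstat()
         * inspects the very inode we hold: no lstat()/open() race window. */
        int next = openat(cur, c, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        int err = errno;
        close(cur);
        if (next < 0) {
            errno = err;
            return -1;
        }
        if (fstat(next, &st) < 0 || S_ISLNK(st.st_mode)) {
            err = S_ISLNK(st.st_mode) ? ELOOP : errno;
            close(next);
            errno = err;
            return -1;
        }
        cur = next;
    }
    return cur;
}

/* Mount `src` onto the rootfs-relative `target` (needs CAP_SYS_ADMIN). */
int safe_mount(const char *src, int rootfd, const char *target,
               const char *fstype, unsigned long flags, const void *data)
{
    char proc_path[64];
    int fd = open_nofollow(rootfd, target);
    if (fd < 0)
        return -1;
    snprintf(proc_path, sizeof proc_path, "/proc/self/fd/%d", fd);
    int ret = mount(src, proc_path, fstype, flags, data), err = errno;
    close(fd);
    errno = err;
    return ret;
}

/* Demo harness (constructed data): a throwaway rootfs under /tmp with real
 * directories proc/ and mnt/ plus a symlink evil -> mnt. Returns 0 if `rel`
 * is an acceptable mount target, otherwise the errno it was refused with. */
int check_target(const char *rel)
{
    static int rootfd = -1;
    if (rootfd < 0) {
        char tmpl[] = "/tmp/safe_mount_demo.XXXXXX";
        if (!mkdtemp(tmpl) || (rootfd = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0 ||
            mkdirat(rootfd, "proc", 0755) < 0 || mkdirat(rootfd, "mnt", 0755) < 0 ||
            symlinkat("mnt", rootfd, "evil") < 0)
            return EIO;
    }
    int fd = open_nofollow(rootfd, rel);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    const char *t[] = { "proc", "mnt", "evil", "evil/sub", "proc/../mnt", "/proc" };
    for (size_t i = 0; i < sizeof t / sizeof *t; i++) {
        int err = check_target(t[i]);
        printf("%-12s %s\n", t[i], err ? strerror(err) : "ok, safe to mount");
    }
    return 0;
}
```

Run as an unprivileged user the program only exercises the path check; the mount(2) inside safe_mount() needs CAP_SYS_ADMIN. The point of mounting via /proc/self/fd is that the kernel resolves that magic link to the descriptor's inode directly, so the container admin gets no second chance to swap a component for a symlink between the check and the mount.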

Re: Unsupported packages for Wheezy LTS

2016-02-29 Thread Raphael Hertzog
On Thu, 19 Nov 2015, Moritz Mühlenhoff wrote:
> Another package which needs to be sorted out is the support for
> Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only
> -7 and stretch will also only have one version).

I asked our current sponsors about OpenJDK 6 and none asked
us to keep supporting it. They are satisfied with having only
OpenJDK 7 supported in wheezy.

> sense to only support openjdk-7 in Debian LTS. Some rdeps in
> wheezy will not allow that, but I think most people use openjdk
> to run external java apps and not the Java apps packaged in
> Debian (with maybe Tomcat as the exception).

Yes, we need to investigate that. I just stumbled on a few packages
with "openjdk-6-jre | java6-runtime" in their dependencies (like
"entagged" or "389-console").

A complete list should be made to see the impact and decide what should
happen to those packages...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



[SECURITY] [DLA 441-1] pcre3 security update

2016-02-29 Thread Markus Koschany

Package: pcre3
Version: 8.02-1.1+deb6u1
Debian Bug : 815921

HP's Zero Day Initiative has identified a vulnerability affecting the
pcre3 package. It was assigned ZDI id ZDI-CAN-3542. A CVE identifier has
not been assigned yet.

PCRE Regular Expression Compilation Stack Buffer Overflow Remote Code
Execution Vulnerability.

PCRE did not validate that handling the (*ACCEPT) verb will occur within
the bounds of the cworkspace stack buffer, leading to a stack buffer
overflow.

For Debian 6 "Squeeze", these problems have been fixed in version
8.02-1.1+deb6u1.

We recommend that you upgrade your pcre3 packages.






Accepted bsh 2.0b4-12+deb6u1 (source all i386) into squeeze-lts

2016-02-29 Thread Markus Koschany

Format: 1.8
Date: Mon, 29 Feb 2016 12:59:05 +0100
Source: bsh
Binary: bsh bsh-gcj bsh-doc bsh-src
Architecture: source all i386
Version: 2.0b4-12+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description: 
 bsh        - Java scripting environment (BeanShell) Version 2
 bsh-doc    - Documentation for bsh
 bsh-gcj    - Java scripting environment (BeanShell) Version 2 (native code)
 bsh-src    - Java scripting environment (BeanShell) Version 2 (source code)
Changes: 
 bsh (2.0b4-12+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2016-2510.
 An application that includes BeanShell on the classpath may be vulnerable
 if another part of the application uses Java serialization or XStream to
 deserialize data from an untrusted source. A vulnerable application could
 be exploited for remote code execution, including executing arbitrary shell
 commands.
Checksums-Sha1: 
 3de393df4e6eb989e0a9a3676157ce5540dc0d45 2069 bsh_2.0b4-12+deb6u1.dsc
 227b9e694a110075d023e013fc3c672b94169460 9096 bsh_2.0b4-12+deb6u1.debian.tar.gz
 83eee716310250bfd20d5ef9a005c2620c8b111b 270696 bsh_2.0b4-12+deb6u1_all.deb
 2dd4227df41b772c02c0f1e870e749244802cc9c 422198 bsh-doc_2.0b4-12+deb6u1_all.deb
 11cf0a93c023e081f5066a2d081b78c45aada546 836072 bsh-src_2.0b4-12+deb6u1_all.deb
 23abe7b31de747c5d92f577b265d5ba67292f6ef 360178 bsh-gcj_2.0b4-12+deb6u1_i386.deb
Checksums-Sha256: 
 799cd893a68a748fb30a774d38272a6f94554cb7a482650bb1a15adef8cb0b45 2069 bsh_2.0b4-12+deb6u1.dsc
 490dfac19faf7a89496acbc1c497190b38109487f7e0b5204eb1479883c40f51 9096 bsh_2.0b4-12+deb6u1.debian.tar.gz
 73b3da5565832155958fd18ca50cce842ba5b727e09cffce1ed1c9616f835430 270696 bsh_2.0b4-12+deb6u1_all.deb
 1fae8ff921141c03a62d9a6d429984ea772eacb6a9f28b743a34135eece46a10 422198 bsh-doc_2.0b4-12+deb6u1_all.deb
 277c0b07f17901b37500025d2eb85ef50531277840083e96ccf8a54c89993373 836072 bsh-src_2.0b4-12+deb6u1_all.deb
 3650b72260d6e88e37ca36eb298327503dbd2da7747e7714f8300c73f1b7aec6 360178 bsh-gcj_2.0b4-12+deb6u1_i386.deb
Files: 
 c5debd2bd9310e552627619878a4b002 2069 java optional bsh_2.0b4-12+deb6u1.dsc
 8c7d2c6b4bc6974150e21b6b1d2df8df 9096 java optional bsh_2.0b4-12+deb6u1.debian.tar.gz
 657f4e78d136aa3f02098cef12da54d7 270696 java optional bsh_2.0b4-12+deb6u1_all.deb
 46aa7ee9ebfdb083ab5f9414664c7174 422198 doc optional bsh-doc_2.0b4-12+deb6u1_all.deb
 808b48a1bb416dff62dcc24c664fdc63 836072 java optional bsh-src_2.0b4-12+deb6u1_all.deb
 2b1ece331b284874513d7c9577279ee9 360178 libs optional bsh-gcj_2.0b4-12+deb6u1_i386.deb




Accepted lxc 0.7.2-1+deb6u1 (source amd64) into squeeze-lts

2016-02-29 Thread Mike Gabriel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 04 Dec 2015 16:17:06 +0100
Source: lxc
Binary: lxc
Architecture: source amd64
Version: 0.7.2-1+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Guido Trotter 
Changed-By: Mike Gabriel 
Description: 
 lxc        - Linux containers userspace tools
Closes: 800471
Changes: 
 lxc (0.7.2-1+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * debian/patches:
  + Add CVE-2015-1335.patch. Backport safe_mount support. Protect container
    mounts against symlinks. Resolved CVE-2015-1335. (Closes: #800471).
 + Add CVE-2013-6441.patch. Use read-only permissions when mounting
   /sbin/init. Resolved CVE-2013-6441.
Checksums-Sha1: 
 ad811a7fbb1c70c328356856acbef2813d737b6f 1749 lxc_0.7.2-1+deb6u1.dsc
 75dfc113a576fa15d46a3736ff788a168de0b258 266877 lxc_0.7.2.orig.tar.gz
 ed09487ae2f4b6d8912fbfddbb413357625c73cd 10818 lxc_0.7.2-1+deb6u1.debian.tar.gz
 0e101694c5fa957596cc4d14381c106b9269656c 142220 lxc_0.7.2-1+deb6u1_amd64.deb
Checksums-Sha256: 
 56a9265a4894b892e2d3eb3bedc65cb6964684fa3099a228ee0167d5b7b1a400 1749 lxc_0.7.2-1+deb6u1.dsc
 0660edbc08d74275968cb18c8e634aafd6f1ad395419e037d7018f2b1d669b1a 266877 lxc_0.7.2.orig.tar.gz
 026a61f4a9f20ff8077fec26310308cc6425484057624ac0113f5d48d79648a9 10818 lxc_0.7.2-1+deb6u1.debian.tar.gz
 38fd5bd4ca5b14a57dfb43e23e792b17ed20e55333ba565acbb23a3d2119af50 142220 lxc_0.7.2-1+deb6u1_amd64.deb
Files: 
 e96437dc8c4769a36a257c8a85e01245 1749 admin optional lxc_0.7.2-1+deb6u1.dsc
 5c9c6889ba1255217078ea5d1aaf0c82 266877 admin optional lxc_0.7.2.orig.tar.gz
 26b977f71ffeea672b74309285442981 10818 admin optional lxc_0.7.2-1+deb6u1.debian.tar.gz
 3fb351d3dee78fa896524a12472ea1db 142220 admin optional lxc_0.7.2-1+deb6u1_amd64.deb




Re: Wiki update LTS/Using and EOL announcement

2016-02-29 Thread Markus Koschany
Am 28.02.2016 um 18:12 schrieb Holger Levsen:
> Hi Markus,
> 
> On Sonntag, 28. Februar 2016, Markus Koschany wrote:
>> I have updated https://wiki.debian.org/LTS/Using to prepare for the
>> switch to Wheezy LTS. What do you think about sending an EOL
>> announcement to debian-lts-announce on March 1st? We could simply reuse
>> the official NEWS post [1] and would probably reach those people who
>> normally don't read news on debian.org.
> 
> seems like a great idea to me. Can you do it? ;-)
> 

Yes, I can. :) Here is my proposed draft.


Subject: [SECURITY] Debian 6 Squeeze has reached end-of-life

The Debian Long Term Support (LTS) Team hereby announces that Debian 6
("Squeeze") support has reached its end-of-life on February 29, 2016,
five years after its initial release on February 6, 2011.

There will be no further security support for Debian 6.0.

The LTS Team will prepare the transition to Debian 7 ("wheezy"), which
is the current oldstable release. The LTS team will take over support
from the Security Team on April 26, 2016.

Debian 7 will also receive Long Term Support for five years after its
initial release with support ending on May 31, 2018.

We recommend that you upgrade your systems to Debian 7 "Wheezy".
Instructions can be found at

https://wiki.debian.org/LTS/Using

Debian and its LTS Team would like to thank all contributing users,
developers and sponsors who are making it possible to extend the life of
previous stable releases, and who have made this LTS a success.

If you rely on Debian LTS, please consider joining the team, providing
patches, testing or funding the efforts. More information can be found at

https://wiki.debian.org/LTS/



